103045 2003-05-31 00:19 /8 lines/ Dave Ahmad <da@securityfocus.com>
Imported: 2003-05-31 00:19 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5078>
Subject: iDEFENSE Security Advisory 05.30.03: Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability
------------------------------------------------------------

David Mirza Ahmad
Symantec
0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12

Sabbe Dhamma Anatta

(103045) /Dave Ahmad <da@securityfocus.com>/-------- Attachment (text/plain) in text 103046

103046 2003-05-31 00:19 /126 lines/ Dave Ahmad <da@securityfocus.com>
Attachment file name: "05.30.03.txt"
Imported: 2003-05-31 00:19 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5079>
Attachment (text/plain) to text 103045
Subject: Attachment (05.30.03.txt) to: iDEFENSE Security Advisory 05.30.03: Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability
------------------------------------------------------------

iDEFENSE Security Advisory 05.30.03:
http://www.idefense.com/advisory/05.30.03.txt

Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability

May 30, 2003

I. BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to develop and maintain an open-source web server for modern operating systems, including Unix and Microsoft Corp.'s Windows. More information is available at http://httpd.apache.org/ .

The Apache Portable Runtime (APR) provides a free library of C data structures and routines, forming a system portability layer to as many operating systems as possible. More information is available at http://apr.apache.org/ .

mod_dav is an open-source Apache module that provides Distributed Authoring and Versioning (DAV) capabilities to the Apache HTTP Server. More information is available at http://www.webdav.org/mod_dav/ .

II. DESCRIPTION

Passing an overly long string to the apr_psprintf() APR library function, which is used by the Apache HTTP Server, could cause an application to reference memory that should have already been returned to the heap allocation pool. Arbitrary code execution remains a possibility but has not been substantiated at the time of publication of this report. Considering the strict conditions necessary for successful code execution, it would be feasible but difficult to develop an exploit capable of functioning outside of a lab environment.

III. ANALYSIS

The remote denial of service aspect of this vulnerability can be exploited if a remote attacker is able to pass large strings to the vulnerable function, as is the case in the mod_dav attack vector: a specially crafted XML request of approximately 12250 bytes crashed the HTTP Server running on a non-Windows OS, and approximately 20000 characters crashed it on a Windows OS.

IV. DETECTION

Applications that rely on older versions of APR are vulnerable. A list of such projects is available at http://apr.apache.org/projects.html#open_source . Both the Windows and Unix implementations of Apache HTTP Server 2.0.37 through 2.0.45 inclusive are vulnerable.

V. WORKAROUND

The following patch should mitigate this vulnerability:

- - --- srclib/apr/memory/unix/apr_pools.c 7 Mar 2003 12:12:43 -0000 1.195
+++ srclib/apr/memory/unix/apr_pools.c 8 May 2003 20:11:14 -0000
@@ -976,7 +976,7 @@
 if (ps->got_a_new_node) {
 active->next = ps->free;
- - - ps->free = node;
+ ps->free = active;
 }
 ps->got_a_new_node = 1;

VI. VENDOR FIX

Apache HTTP Server 2.0.46, which contains updates for APR, can be downloaded at http://httpd.apache.org/download.cgi .

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0245 to this issue.

VIII. DISCLOSURE TIMELINE

03/19/2003 Issue disclosed to iDEFENSE
04/08/2003 iDEFENSE Labs initial research complete
04/09/2003 security@apache.org contacted
04/09/2003 Response from Lars Eilebrecht and Bill Rowe of Apache
04/11/2003 Response from Ian Holsman of Apache
05/08/2003 Response from Mark Cox of Apache
05/08/2003 Initial research and patch submitted to iDEFENSE by Joe Orton of Apache
05/09/2003 Apache patch verified by iDEFENSE Labs
05/12/2003 vendor-sec list notified
05/26/2003 iDEFENSE clients notified
05/30/2003 Coordinated public disclosure

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories: send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world, from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com .

(103046) /Dave Ahmad <da@securityfocus.com>/(Rewrapped)
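Review bot: in the apr_pools.c hunk above, the patched line `+ ps->free = active;` is now consistent with the context line before it, `active->next = ps->free;`: the node being retired is linked into the free list and then made its head. The removed `ps->free = node;` linked `active` but placed `node`, the block just obtained and still being written into, at the head of the free list, which is the stale reference the DESCRIPTION section describes. A one-line comment at that spot saying why `active` rather than `node` goes on the free list would stop the same slip recurring. Note also that the patch as reproduced here is PGP dash-escaped (`- - ---` and `- - - ps->free = node;`), so the `- ` prefixes must be stripped before it will apply with patch(1), and the `+++` header carries no revision number where the `---` header has 1.195.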
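The free-list bookkeeping that the hunk changes, as a simplified C model written for this page rather than APR's own code: the struct names, field layout and function names are assumptions, and only the statements inside retire_active_model() mirror the hunk. It shows that the unpatched assignment leaves the node still being written into at the head of the free list, while the patched one retires the filled node instead.

```c
/* Simplified model of the free-list push in the apr_pools.c hunk. Added
 * illustration, not APR's code: struct and function names are assumptions;
 * only the statements inside retire_active_model() mirror the hunk. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct node {
    struct node *next;
    char buf[64];             /* stands in for the node's data area */
};

struct psprintf_state {       /* the 'ps' of the hunk */
    struct node *free;        /* head of the free-node list */
    struct node *node;        /* node the formatted string is being built in */
    int got_a_new_node;
};

/* 'active' is the node that filled up and is being retired; 'node' is the
 * freshly obtained one that still holds live output. 'fixed' selects the
 * patched line (ps->free = active) over the original (ps->free = node). */
static void retire_active_model(struct psprintf_state *ps,
                                struct node *active, struct node *node,
                                bool fixed)
{
    if (ps->got_a_new_node) {
        active->next = ps->free;
        ps->free = fixed ? active : node;
    }
    ps->got_a_new_node = 1;
}

/* True when the node still in use (ps->node) heads the free list, so the
 * next pool allocation would hand out memory apr_psprintf still writes to. */
bool live_node_on_free_list(bool fixed)
{
    struct node old_free = { NULL, { 0 } }, active = { NULL, { 0 } };
    struct node fresh = { NULL, { 0 } };
    struct psprintf_state ps = { &old_free, &fresh, 1 };
    retire_active_model(&ps, &active, &fresh, fixed);
    return ps.free == ps.node;
}

int main(void)
{
    printf("unpatched: live node on free list = %d\n", live_node_on_free_list(false));
    printf("patched:   live node on free list = %d\n", live_node_on_free_list(true));
    return 0;
}
```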